Now we use apxs (the Apache extension tool) to compile the GeoIP module, install it and activate it in the Apache configuration:

apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c

If you haven't got apxs, you'll need to install httpd-devel.

Be aware that yum may upgrade httpd itself to match the httpd-devel version it pulls in, so back up your server configuration first in case the install fails or Apache starts behaving strangely.

yum install httpd-devel

If this fails with "Error: Nothing to do", you are not alone; it is fairly common. You'll probably find that an exclude line in /etc/yum.conf is blocking the installation. We can get around this either by editing the configuration file or by typing:
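The following is an added check of my own, not a command from the article: a shell function that reads a yum.conf and reports which exclude= glob, if any, is what stops a package name from installing. The configuration text is constructed for the example.

```shell
# Constructed /etc/yum.conf text for the example; the exclude= line is the
# kind that control-panel hosts ship so that yum leaves the web stack alone.
SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
keepcache=0
exclude=httpd* mod_ssl* php* perl*,bind-chroot
installonly_limit=5'

# Read yum.conf text on stdin and test package name $1 against every
# exclude= glob (space- or comma-separated). Prints the first matching
# pattern and returns 0; returns 1 when nothing excludes the package.
yum_exclude_matching() {
  pkg=$1
  hit=
  patterns=$(sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' | tr ',' ' ')
  set -f                       # no pathname expansion while the globs are split
  for p in $patterns; do
    case "$pkg" in
      $p) hit=$p; break ;;     # case matches shell-style globs, as yum's excludes are
    esac
  done
  set +f
  [ -n "$hit" ] && printf '%s\n' "$hit"
}

if pat=$(printf '%s\n' "$SAMPLE_YUM_CONF" | yum_exclude_matching httpd-devel); then
  echo "httpd-devel is blocked by exclude pattern '$pat'; fix that line before retrying yum"
else
  echo "httpd-devel is not excluded in this yum.conf; look elsewhere for 'Nothing to do'"
fi
```

Run it against the real file with `yum_exclude_matching httpd-devel < /etc/yum.conf`; an empty result means the exclude list is not the reason yum refuses.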

In this series of articles I am trying to help server admins and owners of VPS or dedicated servers to find viruses or malware on their servers. Part of diagnosing your system is seeing what emails are being sent out and from which accounts. Since spammers like to use compromised servers, I believe it makes sense to check regularly that the emails being sent out roughly match what you would expect to see.

I have servers that I host client websites on. If a client who usually sends out 20 emails a month suddenly sends out 500 then this is cause for concern and I would immediately investigate the server for malware.

On Linux systems running Exim (the mail transfer agent), Exim already logs the working directory of each message that a script hands to the queue, provided the "arguments" log selector is enabled (it is by default on cPanel servers). Here's an example of what you would expect to see in an exim_mainlog file:

Note: I like to use Notepad++ to analyze these large text files within Windows as other editors aren’t quite up to the task.

So it looks like there’s some function of the ‘fredbloggs’ website that auto-backs up the database, then sends a related email notice to whatever email address the webmaster provides, in this case, fredbloggs@gmail.com. The working directory for the generation of that message was “/home/fredbloggs/public_html”. Nothing suspicious here as we have an auto-backup program installed on this WordPress-powered website. Nothing to see here, move along please…

Again, possibly normal, but I'd want to know whether Jane really changed her email address in WordPress. If she didn't, this is cause for concern. It's detective work: step back and look at all of the evidence to build up the big picture.

So, let's run this beauty of a command against the exim_mainlog to see which working directories are handing messages to our mail queue:

The exim_mainlog records the arrival and delivery of every email: where the mail came from, which address it was delivered to, the server's hostname and more. Further details, such as the subject line, can be added by turning on extra log selectors in Exim. On most systems your output would look something like this:

8 /home/janedoe/public_html/wp-content/plugins/cforms

So within the last 30 days the /cforms directory has sent 8 messages to the queue. cforms is a defunct WordPress plugin, so its developer no longer patches it against exploits. Would you expect Jane's website to do that? A result like this isn't necessarily suspicious, as it looks like normal contact-form use. Something like this, however, would be VERY suspicious:

815 /home/janedoe/public_html/images

I can't think of a valid reason why an 'images' directory should be sending mail, so alarm bells would ring and that's definitely something I would look into further.

So, presuming we saw strange message counts or a bizarre path, let's dig deeper and look at what the subjects of Jane's emails actually were, as these give a good indication of spam activity. Change directory into /var/log
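Putting the above together, here is an added example of my own, not a command from the original article, that runs the same three checks over a constructed exim_mainlog excerpt: messages queued per working directory, directories that should never be sending mail, and the subjects sent by one account. The log lines are made up for the example; the cwd= and T="..." fields assume Exim's "arguments" and "subject" log selectors are on, and the allow-list of expected sender directories is an assumption to tune for your own hosts.

```shell
# Constructed exim_mainlog excerpt (no real hosts, users or recipients).
# The cwd= lines need Exim's "arguments" log selector and the T="..."
# subject field needs the "subject" selector; both are assumed enabled.
SAMPLE_LOG='2011-06-10 03:15:02 cwd=/home/fredbloggs/public_html 3 args: /usr/sbin/sendmail -t -i
2011-06-10 03:15:02 1QUuEq-0001xy-5V <= fredbloggs@server.example U=fredbloggs P=local S=1420 T="Database backup completed" for fredbloggs@gmail.com
2011-06-10 09:40:11 cwd=/home/janedoe/public_html/wp-content/plugins/cforms 3 args: /usr/sbin/sendmail -t -i
2011-06-10 09:40:11 1QV0Gd-0002Ab-1C <= janedoe@server.example U=janedoe P=local S=980 T="Contact form: quote request" for jane@example.net
2011-06-10 22:01:45 cwd=/home/janedoe/public_html/images 3 args: /usr/sbin/sendmail -t -i
2011-06-10 22:01:45 1QVBqZ-0003Cd-2E <= janedoe@server.example U=janedoe P=local S=2210 T="Cheap meds online!!!" for victim1@example.org
2011-06-10 22:01:46 cwd=/home/janedoe/public_html/images 3 args: /usr/sbin/sendmail -t -i
2011-06-10 22:01:46 1QVBqa-0003Cf-3F <= janedoe@server.example U=janedoe P=local S=2210 T="Cheap meds online!!!" for victim2@example.org
2011-06-10 22:01:47 cwd=/home/janedoe/public_html/images 3 args: /usr/sbin/sendmail -t -i
2011-06-10 22:01:47 1QVBqb-0003Cg-4G <= janedoe@server.example U=janedoe P=local S=2210 T="Cheap meds online!!!" for victim3@example.org'

# Keep only lines dated on or after $1 (YYYY-MM-DD); Exim's ISO dates sort
# as strings, so a plain comparison on the first field is enough.
messages_since() {
  awk -v d="$1" '$1 >= d'
}

# Count queued messages per working directory, busiest first: "<count> <cwd>".
cwd_counts() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) n[substr($i, 5)]++ }
       END { for (d in n) print n[d], d }' | sort -rn
}

# Directories that have no business sending mail. The allow-list is an
# assumption for this example: a site's document root and its WordPress
# plugin directories are expected senders; anything else under public_html
# (images, uploads, cache ...) is reported.
suspicious_cwds() {
  cwd_counts | awk '$2 ~ /\/public_html\// && $2 !~ /\/wp-content\/plugins\//'
}

# Subjects of every message queued by one local user (the U= field), so a
# suspicious account can be checked for spam-like subjects.
subjects_for_user() {
  awk -v u=" U=$1 " '$4 == "<=" && index($0, u) {
      if (match($0, / T="[^"]*"/)) print substr($0, RSTART + 4, RLENGTH - 5) }'
}

echo "== messages queued per working directory since 2011-06-01 =="
printf '%s\n' "$SAMPLE_LOG" | messages_since 2011-06-01 | cwd_counts
echo "== directories that should not be sending mail =="
printf '%s\n' "$SAMPLE_LOG" | suspicious_cwds
echo "== subjects sent by janedoe =="
printf '%s\n' "$SAMPLE_LOG" | subjects_for_user janedoe | sort | uniq -c
```

On a live server replace the sample with `cat /var/log/exim_mainlog | messages_since "$(date -d '30 days ago' +%F)" | cwd_counts`; a directory that appears with hundreds of messages and is not a known mailer is the first thing to open.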

I am certainly impressed by the way that Tresorit seems to be handling security, and also by the openness of the company about the methods they use and reject.

Their recent blog post shows that they are really trying to excel in the online backup industry by pushing current protocols beyond the standard ‘accepted’ limits.

When we designed Tresorit, we were faced with two contrary options: using widespread, well-tested, standardized, industry-standard protocols, or creating (or implementing) new, stronger protocols. We decided to combine the best of these approaches: we use the strongest standard one and extend it with our protocol in a way that, if our protocol fails, it falls back to the standard one.

I worked for many years in the computer security and penetration testing arena and most encryption methods I previously struggled to get past are now easily cracked by anyone with a laptop, some free software and some common sense. Times move on and you can’t presume something is safe because there are no current published exploits for it.

Tresorit is a relatively new but forward-thinking company that seems to have got its security levels right rather than waiting for the day it is compromised to address them. Keep up the good work, Tresorit, and keep pushing the boundaries of encryption.

TimThumb, the popular image-resizing library bundled with many a good WordPress theme, has a serious vulnerability that is being actively exploited. It lets a third party get a file of their own choosing into TimThumb's cache directory and then execute the PHP code it contains. As many people are aware, running malicious PHP code can easily compromise a website or an entire server.

We recommended deleting timthumb.php or thumb.php, or indeed the complete theme or plugin, when this zero-day exploit was announced. A later version of TimThumb that patches this vulnerability is now available.

If the file exists in a theme or plugin that you're no longer using, you may want to remove the entire theme or the relevant plugin directory. After you remove the TimThumb library, check that your site still works as it should.

If you are using the later version, check that ALLOW_EXTERNAL is set to false, like this:

define('ALLOW_EXTERNAL',false);

then find the $allowedSites array in the same file and remove every domain name from it, so that TimThumb cannot download files from any remote site, like this:
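To find every leftover copy across a server rather than checking files one by one, here is an added shell audit of my own (not code from the article or from TimThumb): it walks a web root, finds each timthumb.php or thumb.php and reports whether ALLOW_EXTERNAL is false and $allowedSites is empty. The two PHP files it creates are constructed stand-ins containing only those two settings.

```shell
# Throwaway web root with two constructed TimThumb stand-ins: one left on the
# risky settings and one hardened as recommended. These stubs are not real
# TimThumb code; only the two settings matter here.
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/wp-content/themes/oldtheme/scripts" "$WEBROOT/wp-content/themes/newtheme"
cat > "$WEBROOT/wp-content/themes/oldtheme/scripts/timthumb.php" <<'EOF'
<?php
define ('ALLOW_EXTERNAL', TRUE);
$allowedSites = array (
    'flickr.com',
    'picasa.com',
);
EOF
cat > "$WEBROOT/wp-content/themes/newtheme/thumb.php" <<'EOF'
<?php
define('ALLOW_EXTERNAL', false);
$allowedSites = array();
EOF

# Report every timthumb.php / thumb.php below $1 as
#   <path> ALLOW_EXTERNAL=<true|false|unset> allowedSites=<n> <INSECURE|ok>
# A copy is "ok" only when ALLOW_EXTERNAL is explicitly false AND the
# $allowedSites array is empty; "unset" is reported as insecure so that it
# gets looked at by hand rather than trusted.
audit_timthumb() {
  find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort | while read -r f; do
    allow=$(grep -i "define[[:space:]]*([[:space:]]*['\"]ALLOW_EXTERNAL['\"]" "$f" \
              | grep -iEo 'true|false' | head -n 1 | tr 'A-Z' 'a-z')
    # count quoted entries between "$allowedSites =" and the closing ");"
    sites=$(awk -v q="'" '
      /\$allowedSites[[:space:]]*=/ { inarr = 1 }
      inarr && ($0 ~ (q "[^" q "]+" q) || $0 ~ /"[^"]+"/) { n++ }
      inarr && /\)[[:space:]]*;/ { inarr = 0 }
      END { print n + 0 }' "$f")
    if [ "$allow" = false ] && [ "$sites" -eq 0 ]; then verdict=ok; else verdict=INSECURE; fi
    printf '%s ALLOW_EXTERNAL=%s allowedSites=%s %s\n' "$f" "${allow:-unset}" "$sites" "$verdict"
  done
}

audit_timthumb "$WEBROOT"
```

Point `audit_timthumb` at `/home` on a shared host to cover every account at once; each INSECURE line is a file to either harden as described above or delete along with its theme.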

Websites are plagued with bad bots and often come grinding to a halt without the aid of a bot blocking tool. Here, I’ll review the latest kid on the block, Spyder Spanker.

First off, Spyder Spanker is a WordPress plugin, so if you don’t have a WordPress powered site then you’re out of luck. If you do however, then read on, it’s pretty impressive. Here’s a video that shows its merits:

Spyder Spanker full review

Initially installing the tool is as simple as uploading the zip file you are given via the WordPress plugin page. Once uploaded and activated, Spyder Spanker installs itself as an admin menu item. There you can add your licence details, and you are straight into the interface, a neatly styled area where each component is presented separately.

Allow trusted bots

Setting up the plugin is very easy because all of the major trusted bots are whitelisted. By trusted, I mean the ones you actually WANT to visit your site, such as GoogleBot and BingBot. Without these, the search engines wouldn't know your site content and you would never be listed in their results pages. This is a welcome addition; other packages leave it up to you to select your own trusted bots.

Disallow bad bots

You don't need to add any bad bots either, because these are also set up when the plugin installs. Bots such as Baidu (the Chinese search bot) and Yandex (the Russian search bot) are unnecessary on many English-language sites: they consume bandwidth to add you to their results pages, then keep returning to re-crawl your pages and consume yet more.

Allowing individual bots

OK, so we have a good setup straight out of the box, but let's dig a bit deeper and see what we can modify. Take the scenario of an English-language website that sells products to China. In that case it would make sense to allow the Baidu bot to index the site. This is a simple two-click operation: tick the Baidu bot, then click 'Remove selected'. Very slick, and no messing about with CSF firewall rules, .htaccess country-blocking or IP address blocking rules.

The differences between Spyder Spanker and other tools

I wanted to point out that Spyder Spanker is predominantly a bot blocker and doesn't do much of what tools like WP Better Security do, such as securing admin areas and making files uneditable. What it excels at is blocking the bots that eat your resources on a daily basis, and it can throttle back the good bots when they spider your site too aggressively.

WP Better Security comes with a basic list of bad bots for .htaccess (which I use), but bots are a bit more devious these days and use new names. Here is an example of a logfile entry in Spyder Spanker:

This is a bot you won’t generally find on many htaccess blacklists but it’s a ‘rule-breaker’ for sure. SS responded by blocking it and will pass the rule to my other sites and the community network.

Let’s be honest, a bot with a gmail address probably shouldn’t be trusted that much anyway!

Spyder spanker review – the verdict

I'd thoroughly recommend you buy this tool; you'll recoup the outlay in a short time through reduced bandwidth fees, time saved and more sales if you run any kind of ecommerce or affiliate site. One thing though: go with the Pro upgrade that is presented as a "One Time Offer" when you have paid for the basic version, because Spyder Spanker Pro integrates beautifully with Project Honeypot. This means it can run 'hands-off' and will be kept updated against the ever-increasing raft of spammers and bad bots out there. Add the community update facility and you'll be protected for years to come across ALL of your domains.

Minecraft, the multiplayer block-destroying game, has suffered a serious DoS attack. Although as yet unproven, it is believed to be the work of the hacker group 'Anonymous'. The servers did go down but are currently back up and running.

Another group, LulzSec, has also been blamed, and they are now taking 'site hacking requests'! Their recent attacks include EVE Online and The Escapist, amongst others.

LastPass has reported a suspected serious breach. If you are getting errors where LastPass cannot log you in, your first step is to attempt a login via the browser plugin AND via the website immediately afterwards.

LastPass stated that a significant amount of traffic had left one of its primary servers, traffic that could have included users' email addresses, the server salt and salted password hashes. While unexplained traffic spikes often turn out to be benign, LastPass couldn't track down the root cause and so treated this as a high-risk event.

As news of the attack filters through, LastPass users are hitting its servers trying to change their passwords. This is putting a huge strain on the LastPass servers, and consequently they are trying to reduce the load while keeping security at a maximum.

You should change your LastPass master password immediately if it is not a very secure one. By not secure I mean anything from the dictionary or common passwords like Letmein, L3tM3In, abc123, pa55word and so on. The reason is that if the salts and salted hashes did leave the server, an attacker can guess passwords offline, hashing each guess with your salt and comparing it against the stolen hash until one matches. This kind of 'brute-force' attack finishes quickly against weak passwords but takes months, years or even decades depending on the complexity of the password. The best type of password mixes capital letters, numbers and non-alphabetic characters (!, *, $ etc.) and is at least eight characters long; longer is better.

LastPass have been proactive in this and immediately owned up to the event, which I believe is admirable. The fact that they didn't email every user is a failure though, even if they had simply pointed people towards their website with an explanation.

For me, if the system has been breached and the cause is unknown, asking for password changes is a very dubious course of action. LastPass have now changed the method so that you can temporarily authenticate a PC via an email link.

Some users are getting the message "Your account settings have restricted you from logging in from this mobile device." and have had to resort to exporting contacts, then deleting and recreating their LastPass account.

I tested this against Joomla 1.5.12 and indeed it is a security hole that can easily be exploited.

TinyBrowser is a plugin for the TinyMCE JavaScript editor that acts as a file browser to view, upload, delete and rename files and folders on your server.

Vulnerabilities

1. Default Insecure Configurations

The configuration TinyBrowser ships with is insecure, and many people who install the plugin never change it. I have recently audited a couple of Joomla-based sites for clients and found this to be the case.
The default access path is jscripts/tiny_mce/plugins/tinybrowser.

I remember FCKeditor suffering a similar problem a while back, and the final payload in a teaser directory is very similar.

2. Folder Creation by path request

Requesting /tinybrowser.php?type=image&folder=abc123 creates a folder named "abc123" in the /useruploads/images/ directory.

All major actions, such as creating, deleting and renaming files and folders, are plain GET/POST requests with no anti-forgery token, so they are XSRF-able: a logged-in administrator who visits a crafted page can be made to perform any of them.

All in all, a nasty set of vulnerabilities that needs patching immediately. I am seeing lots of requests for this path on non-Joomla sites, so there are plenty of automated bot attacks out there. Patch up or be hacked.
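Since the bots announce themselves by the path they request, here is an added example of my own (not from the original post): a shell script that pulls TinyBrowser requests out of a constructed Apache access log, singles out the successful folder=... requests described above, and tallies the source addresses. The log lines, client addresses and the upload.php file name are made up for the example; only the jscripts/tiny_mce/plugins/tinybrowser path and the type=image&folder=abc123 request come from the article.

```shell
# Constructed Apache combined-format access log (RFC 5737 test addresses,
# no real clients). The second client probes a different install path and
# gets 404s, which is what the scanners hitting non-Joomla sites look like.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [10/Jun/2011:04:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2011:04:12:03 +0000] "GET /jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=image&folder=abc123 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2011:04:13:44 +0000] "GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=image&folder=x HTTP/1.1" 404 310 "-" "Python-urllib/2.6"
198.51.100.23 - - [10/Jun/2011:04:13:45 +0000] "POST /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php HTTP/1.1" 404 310 "-" "Python-urllib/2.6"
192.0.2.88 - - [10/Jun/2011:04:15:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Every request into the TinyBrowser plugin directory, whichever path it is
# installed under: "<ip> <status> <method> <path>".
tinybrowser_hits() {
  awk '$7 ~ /\/plugins\/tinybrowser\// { print $1, $9, substr($6, 2), $7 }'
}

# Folder-creation probes that actually succeeded (2xx): a folder= request
# answered with success means a directory was very likely created on disk.
folder_creation_hits() {
  tinybrowser_hits | awk '$2 ~ /^2/ && $4 ~ /tinybrowser\.php\?.*folder=/'
}

# Source addresses hitting the plugin, busiest first, for a block list.
tinybrowser_sources() {
  tinybrowser_hits | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "== all TinyBrowser requests =="
printf '%s\n' "$SAMPLE_ACCESS_LOG" | tinybrowser_hits
echo "== successful folder-creation probes =="
printf '%s\n' "$SAMPLE_ACCESS_LOG" | folder_creation_hits
echo "== source IPs =="
printf '%s\n' "$SAMPLE_ACCESS_LOG" | tinybrowser_sources
```

Feed it the real log with `tinybrowser_hits < /var/log/httpd/access_log`; any 2xx line from `folder_creation_hits` on a site that has TinyBrowser installed is a reason to inspect the upload directory, and the addresses from `tinybrowser_sources` can go straight into your firewall's deny list.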